Fortress in the Cloud Simone Brunozzi, AWS Technology Evangelist, APAC

Fortress in the Cloud - .hkisconference.jucc.edu.hk/docs/...in-the-cloud.pdf · applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting


Page 1

Fortress in the Cloud

Simone Brunozzi, AWS Technology Evangelist, APAC

Page 2

AWS Cloud Security Model Overview

Certifications & Accreditations

• Sarbanes-Oxley (SOX) compliance
• ISO 27001 Certification
• PCI DSS Level I Certification
• HIPAA compliant architecture
• SAS 70 Type II Audit
• FISMA Low ATO
• Pursuing FISMA Moderate ATO
• Pursuing DIACAP MAC III Sensitive
• FedRAMP

Service Health Dashboard

Shared Responsibility Model

Customer/SI Partner/ISV controls:
• Guest OS-level security, including patching and maintenance
• Application level security, including password and role based access
• Host-based firewalls, including Intrusion Detection/Prevention Systems
• Encryption/Decryption of data, Hardware Security Modules
• Separation of Access

Physical Security
• Multi-level, multi-factor controlled access environment
• Controlled, need-based access for AWS employees (least privilege)

Management Plane Administrative Access
• Multi-factor, controlled, need-based access to administrative host
• All access logged, monitored, reviewed
• AWS Administrators DO NOT have access inside a customer’s VMs, including applications and data

VM Security
• Multi-factor access to Amazon Account
• Instance Isolation
  – Customer-controlled firewall at the hypervisor level
  – Neighboring instances prevented access
  – Virtualized disk management layer ensures only account owners can access storage disks (EBS)
• Support for SSL end point encryption for API calls

Network Security
• Instance firewalls can be configured in security groups; traffic may be restricted by protocol, by service port, and by source IP address (individual IP or Classless Inter-Domain Routing (CIDR) block).
• Virtual Private Cloud (VPC) provides IPSec VPN access from an existing enterprise data center to a set of logically isolated AWS resources

Page 3

AWS Computing Platform

Page 4

AWS Security Resources

• http://aws.amazon.com/security/
• Security Whitepaper
• Risk and Compliance Whitepaper
• Latest Versions May 2011
• Regularly Updated
• Feedback is welcome

Page 5

AWS Certifications

Shared Responsibility Model

• Sarbanes-Oxley (SOX)
• ISO 27001 Certification
• Payment Card Industry Data Security Standard (PCI DSS) Level 1 Compliant
• SAS70 Type II Audit
• FISMA A&As
  – Multiple NIST Low Approvals to Operate (ATO)
  – Actively pursuing NIST Moderate, completed ST&E
• FedRAMP
• DIACAP MAC III Sensitive IATO
• Customers have deployed various compliant applications such as HIPAA (healthcare)

Page 6

SAS70 Type II

We publish a Statement on Auditing Standards No. 70 (SAS 70) Type II Audit report every six months and maintain a favorable, unbiased and unqualified opinion from our independent auditors.

AWS identifies those controls relating to operational performance and security that safeguard customer data.

Auditors evaluate the design of the stated control objectives and control activities and attest to the effectiveness of their design. They also audit the operation of those controls, attesting that the controls are operating as designed. This report is available under NDA to customers who require a SAS70 Type II to meet their own audit and compliance needs.

Page 7

ISO 27001

AWS has achieved ISO 27001 certification of our Information Security Management System (ISMS) covering AWS infrastructure and data centers in all regions worldwide.

Services covered: Amazon Elastic Compute Cloud (Amazon EC2), Amazon Simple Storage Service (Amazon S3) and Amazon Virtual Private Cloud (Amazon VPC).

Page 8

PCI DSS Level 1

AWS has been successfully validated as a Level 1 service provider under the most recently published Payment Card Industry (PCI) Data Security Standard (DSS). Merchants and other service providers can run their applications on our PCI-compliant technology infrastructure for storing, processing, and transmitting credit card information in the cloud. Amazon Elastic Compute Cloud (EC2), Amazon Simple Storage Service (S3), Amazon Elastic Block Storage (EBS) and Amazon Virtual Private Cloud (VPC) are included in the PCI compliance validation.

Page 9

Physical Security

Amazon has been building large-scale data centers for many years

Important attributes:

• Non-descript facilities
• Robust perimeter controls
• Strictly controlled physical access
• 2 or more levels of two-factor auth
• Controlled, need-based access for AWS employees (least privilege)
• All access is logged and reviewed

Page 10

Fault Separation and Geographic Diversity

Diagram (conceptual drawing only; the number of Availability Zones may vary): Amazon CloudWatch, Auto Scaling and Elastic Load Balancing operating across Regions and their Availability Zones:

• EU Region (IRE): Availability Zones A, B
• US East Region (N. VA): Availability Zones A, B, C
• APAC Region (Tokyo): Availability Zones A, B
• US West Region (N. CA): Availability Zones A, B
• APAC Region (Singapore): Availability Zones A, B

Page 11

Data Backups

Data in Amazon S3, Amazon SimpleDB, and Amazon EBS is stored redundantly in multiple physical locations

EBS redundancy in a single Availability Zone

Amazon S3 and Amazon SimpleDB replicate customer objects across storage systems in multiple Availability Zones to ensure durability

Data stored on Amazon EC2 local disks must be proactively copied to Amazon EBS or Amazon S3 for redundancy

Page 12

AWS Identity and Access Management

• Enables a customer to create multiple Users and manage the permissions for each of these Users.
• Secure by default; new Users have no access to AWS until permissions are explicitly granted.
• AWS IAM enables customers to minimize the use of their AWS Account credentials. Instead all interactions with AWS Services and resources should be with AWS IAM User security credentials.
• Customers can enable MFA devices for their AWS Account as well as for the Users they have created under their AWS Account with AWS IAM.

Page 13

AWS Multi-Factor Authentication

A recommended opt-in security feature of your Amazon Web Services (AWS) account

Page 14

AWS MFA Benefits

• Helps prevent anyone with unauthorized knowledge of your e-mail address and password from impersonating you
• Requires a device in your physical possession to gain access to secure pages on the AWS Portal or to gain access to the AWS Management Console
• Adds an extra layer of protection to sensitive information, such as your AWS access identifiers
• Extends protection to your AWS resources such as Amazon EC2 instances and Amazon S3 data

Page 15

Amazon EC2 Security

Host operating system
• Individual SSH keyed logins via bastion host for AWS admins
• All accesses logged and audited

Guest operating system
• Customer controlled at root level
• AWS admins cannot log in
• Customer-generated keypairs

Stateful firewall
• Mandatory inbound firewall, default deny mode

Signed API calls
• Require X.509 certificate or customer’s secret AWS key
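The "signed API calls" bullet, as an added example that is not code from the deck or from AWS: a request is signed with HMAC-SHA256 over the canonical request (verb, host, path, sorted query parameters), in the style of the secret-key signed query API, and the receiving side recomputes the signature to reject any tampered parameter. The access key, secret, host and request parameters are constructed placeholders, and a real endpoint also checks the Timestamp for freshness.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote

# Constructed placeholder credentials (not real keys).
ACCESS_KEY = "AKIAEXAMPLEKEY000000"
SECRET_KEY = "EXAMPLE-SECRET-KEY-NOT-REAL"

def canonical_query(params):
    # RFC 3986 encoding, parameters sorted by byte order of their names,
    # so client and server serialise the request identically.
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))

def string_to_sign(method, host, path, params):
    return "\n".join([method, host.lower(), path, canonical_query(params)])

def sign(secret, method, host, path, params):
    # The secret key never leaves the caller; only the MAC travels with the request.
    mac = hmac.new(secret.encode(), string_to_sign(method, host, path, params).encode(),
                   hashlib.sha256).digest()
    return base64.b64encode(mac).decode()

def signed_request(params, method="GET", host="ec2.amazonaws.com", path="/"):
    """Client side: add the signing metadata, then the Signature itself."""
    p = dict(params)
    p.update({"AWSAccessKeyId": ACCESS_KEY, "SignatureVersion": "2",
              "SignatureMethod": "HmacSHA256",
              "Timestamp": "2011-05-01T12:00:00Z"})   # constructed, fixed for the example
    p["Signature"] = sign(SECRET_KEY, method, host, path, p)
    return method, host, path, p

def verify(secret, method, host, path, params):
    """Server side: recompute over every parameter except Signature and compare in
    constant time. Any altered parameter, or a different secret, fails."""
    received = params.get("Signature", "")
    unsigned = {k: v for k, v in params.items() if k != "Signature"}
    expected = sign(secret, method, host, path, unsigned)
    return hmac.compare_digest(received, expected)
```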

Page 16

Amazon EC2 Instance Isolation

Diagram: the physical interfaces belong to the hypervisor, which exposes virtual interfaces to each customer’s instances (Customer 1, Customer 2, … Customer n); a firewall between them applies each customer’s own Security Groups.

Page 17

Virtual Memory & Local Disk

Diagram: Amazon EC2 instances, each with an encrypted file system and an encrypted swap file.

• Proprietary Amazon disk management prevents one Instance from reading the disk contents of another
• Local disk storage can also be encrypted by the customer for an added layer of security

Page 18

Network Traffic Flow Security

Diagram: inbound traffic to Amazon EC2 instances passes through Amazon Security Groups and then through iptables on each instance (instances again shown with an encrypted file system and an encrypted swap file).

• Inbound traffic must be explicitly specified by protocol, port, and security group
• iptables may be implemented as a completely user controlled security layer for granular access control of discrete hosts, including other Amazon Web Services (Amazon S3/SimpleDB, etc.)

Page 19

Multi-tier Security Architecture

Diagram: Web Tier, Application Tier and Database Tier (with EBS Volume), each behind an Amazon EC2 Security Group Firewall, annotated:

• Ports 80 and 443 only open to the Internet
• All other Internet ports blocked by default
• Engineering staff have ssh access to the App Tier, which acts as Bastion
• Authorized 3rd parties can be granted ssh access to select AWS resources, such as the Database Tier
• AWS employs a private network with ssh support for secure access between tiers and is configurable to limit access between tiers
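The security-group model described on slides 2, 18 and this one, as an added example that is not code from the deck or from AWS: a default-deny inbound evaluator whose rules are keyed by protocol, port and either a source CIDR or a source security group, applied to the three tiers above so that only 80/443 face the Internet, the app tier is reachable from the web tier and from staff over ssh (the bastion), and the database tier only from the app tier. The office range, the tier-to-tier ports and the group names are assumptions; the deck names only ports 80/443 and ssh.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

ANY = "0.0.0.0/0"   # "open to the Internet"

@dataclass(frozen=True)
class Rule:
    protocol: str                     # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: Optional[str] = None        # allowed source IP range, or ...
    src_group: Optional[str] = None   # ... allowed source security group (tier-to-tier)

@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)   # empty list = nothing gets in

def is_allowed(sg: SecurityGroup, protocol: str, port: int, src_ip: str,
               src_group: Optional[str] = None) -> bool:
    """Mandatory inbound firewall in default-deny mode: a packet is admitted only if
    some rule matches its protocol, its port and either its source CIDR or source group."""
    ip = ipaddress.ip_address(src_ip)
    for r in sg.inbound:
        if r.protocol not in ("-1", protocol):
            continue
        if not (r.from_port <= port <= r.to_port):
            continue
        if r.cidr is not None and ip in ipaddress.ip_network(r.cidr, strict=False):
            return True
        if r.src_group is not None and src_group == r.src_group:
            return True
    return False   # no rule matched: denied

# The three tiers from the slide (constructed values, see lead-in).
WEB = SecurityGroup("web", [Rule("tcp", 80, 80, cidr=ANY),
                            Rule("tcp", 443, 443, cidr=ANY)])
APP = SecurityGroup("app", [Rule("tcp", 8080, 8080, src_group="web"),
                            Rule("tcp", 22, 22, cidr="203.0.113.0/24")])  # staff -> bastion
DB = SecurityGroup("db", [Rule("tcp", 3306, 3306, src_group="app"),
                          Rule("tcp", 22, 22, src_group="app")])            # ssh via bastion only

def internet_exposed_ports(groups):
    """Audit helper: every (group, from_port, to_port) reachable from anywhere."""
    return [(sg.name, r.from_port, r.to_port)
            for sg in groups for r in sg.inbound if r.cidr == ANY]
```

Running `internet_exposed_ports` over every group is the quick check that nothing beyond the web tier's 80 and 443 has been opened to the world.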

Page 20

Network Security Considerations

DDoS (Distributed Denial of Service):
• Standard mitigation techniques in effect

MITM (Man in the Middle):
• All endpoints protected by SSL
• Fresh EC2 host keys generated at boot

IP Spoofing:
• Prohibited at host OS level

Unauthorized Port Scanning:
• Violation of AWS TOS
• Detected, stopped, and blocked
• Ineffective anyway since inbound ports blocked by default

Packet Sniffing:
• Promiscuous mode is ineffective
• Protection at hypervisor level

Configuration Management:
Configuration changes are authorized, logged, tested, approved, and documented. Most updates are done in such a manner that they will not impact the customer. AWS will communicate with customers, either via email or through the AWS Service Health Dashboard (http://status.aws.amazon.com/), when there is a chance that their Service use may be affected.

Page 21

Network Traffic Confidentiality

Diagram: Amazon EC2 instances (encrypted file system, encrypted swap file) exchanging Internet traffic, with a VPN tunnel to the Corporate Network.

• All traffic should be cryptographically controlled
• Inbound and outbound traffic to corporate networks should be wrapped within industry standard VPN tunnels (option to use Amazon VPC)

Page 22

Diagram: the Customer’s Network connects over a Secure VPN Connection over the Internet to a VPN Gateway in the Amazon Web Services Cloud; behind it, the Amazon VPC router fronts the subnets that hold the customer’s isolated AWS resources.

Page 23

Amazon VPC Capabilities

• Create an isolated environment within AWS
• Establish subnets to control who and what can access your resources
• Connect your isolated AWS resources and your IT infrastructure via a VPN connection
• Launch AWS resources within the isolated network
• Use your existing security and networking technologies to examine traffic to/from your isolated resources
• Extend existing security/management policies within your IT to your isolated AWS resources as if they were running within your infrastructure

Page 24

Amazon VPC Network Security Controls

Page 25

Amazon S3 Security

• Access controls at bucket and object level:
  – Read, Write, Full
• Bucket Policies
  – Conditional rules based on account, request IP etc.
• Customer Encryption
  – SSL Supported
• Durability 99.999999999%
• Availability 99.99%
• Versioning (MFA Delete)
• Detailed Access Logging
• Storage Device Decommissioning
  – NIST 800-88 methods

Page 26

Amazon Relational Database Service Security

• Access based on Database Security Groups
• Default Deny All – Allowances by:
  – IP range
  – EC2 Security Group
• SSL to protect data in transit
• User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy

Page 27

Amazon SimpleDB Security

• Access based on AWS account ID
• Domains accessible based on ACL
• SSL to protect data in transit
• User created with AWS IAM only has access to the operations and domains for which they have been granted permission via policy
• Encrypt data elements not used as keys

Note: encrypting data elements limits your ability to select those fields as retrieval keys.

Page 28

Amazon SQS Security

• Scalable Message Queuing Service
• Designed to be highly available, reliable and durable
• Access based on AWS account ID, APL and AWS IAM
• Access Policy Language enables the creation of complex rules to enable access to queues based on identity (AWS account number), source IP address, date, time, and more.
• AWS IAM user however only has access to the operations and queues which they have been granted access to via policy
• SSL to protect data in transit
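The policy model that recurs on slide 12 (secure by default, access only when explicitly granted), slide 25 (bucket policies conditional on account and request IP) and this slide (Access Policy Language rules on identity, source IP, date and time), as an added example that is not code from the deck or from AWS: a small evaluator that defaults to deny, lets an explicit Deny override any Allow, matches wildcard actions and resources, and fails closed when a condition key is missing or its operator is unknown. The account numbers, queue ARN and date window are constructed values.

```python
import fnmatch
import ipaddress
from datetime import datetime, timezone

QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:orders"   # constructed
# Constructed policy: the owner account may do anything except delete the queue;
# a partner account may only read, from its office range, during one month.
POLICY = {"Statement": [
    {"Effect": "Allow", "Principal": "111122223333", "Action": "sqs:*", "Resource": QUEUE_ARN},
    {"Effect": "Allow", "Principal": "444455556666",
     "Action": ["sqs:ReceiveMessage", "sqs:GetQueue*"], "Resource": QUEUE_ARN,
     "Condition": {"IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
                   "DateGreaterThan": {"aws:CurrentTime": "2011-05-01T00:00:00Z"},
                   "DateLessThan": {"aws:CurrentTime": "2011-06-01T00:00:00Z"}}},
    {"Effect": "Deny", "Principal": "*", "Action": "sqs:DeleteQueue", "Resource": "*"},
]}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _conditions_hold(cond, ctx):
    """Every condition must hold; a missing key or unknown operator fails closed."""
    for op, pairs in cond.items():
        for key, want in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if op == "IpAddress":
                if ipaddress.ip_address(have) not in ipaddress.ip_network(want):
                    return False
            elif op == "DateGreaterThan":
                if not _ts(have) > _ts(want):
                    return False
            elif op == "DateLessThan":
                if not _ts(have) < _ts(want):
                    return False
            else:
                return False
    return True

def _matches(stmt, principal, action, resource, ctx):
    def as_list(v):
        return v if isinstance(v, list) else [v]
    return (stmt["Principal"] in ("*", principal)
            and any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))
            and _conditions_hold(stmt.get("Condition", {}), ctx))

def is_authorized(policy, principal, action, resource, ctx):
    """Default deny: no matching statement means no access; an explicit Deny wins."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt, principal, action, resource, ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed
```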

Page 29

Amazon CloudFront Security

• API is only accessible via SSL-encrypted endpoints and must be authenticated
• Origin data stored in Amazon S3
• Private content option will only deliver files authorized by securely signed requests
• Data Security and Durability provided by Amazon S3
• Comprehensive access logs
• Configurable for https only downloads

Page 30

Amazon Elastic MapReduce Security

• Access based on AWS account ID
• Authenticated APIs
• Sets up Security Groups:
  – Master Node external access only via SSH
  – Slave Nodes don’t allow external access
• SSL is used to protect data in transit to and from Amazon S3

Page 31

Thank you

Simone Brunozzi 

[email protected]

Twitter: @simon